Scanning for Conficker’s peer to peer

With the help of Symantec's Security Intelligence Analysis Team, I've put together a script that detects Conficker (.C and up) based on its peer-to-peer ports. The script is called p2p-conficker.nse, and it automatically runs against any Windows system when script scanning is enabled:

And finally, if one or more ports come back with a possible infection (invalid data or an incorrect checksum), you should be cautious -- it could indicate an infection combined with a flaky network, or a different generation of the worm (what are the chances of two random ports being open?). It might look like this:

If it says I'm clean, how sure is it?

Unfortunately, this check, like my other Conficker check, isn't 100% reliable. There are several factors here:

This peer-to-peer protocol first appeared in Conficker.C, so Conficker.A and Conficker.B won't be detected.

It relies on connecting to Conficker's ports -- firewalls or port filters can block this.

If the host is multihomed or NATed, the wrong ports will be generated, because the ports are derived from the IP address the script sees rather than the one the worm used. If you know its real IP, see the sample commands below.

If the Windows ports (445/139) are blocked, the check won't run by default. This behaviour can be overridden; see the sample commands below.

How does this work?

When Conficker.C or higher infects a system, it opens four ports for communication (two TCP and two UDP). It uses these to connect to other infected hosts and send/receive updates and other information. The port numbers are based on two factors: a) the IP address, and b) the current time (the number of weeks since Jan 1 1970).

Thanks to research by Symantec (and others), the port-generation algorithm and the protocol have been discovered, and that's what I implemented in my script. Each packet has an encryption key, some data and a checksum (both encrypted), and some noise. If you send a well-formed packet to an infected host on any of its ports, the host will respond, and that response indicates an infection.

Hi Ron, it seems that I do not know how to run that scan properly, although I just copied the command and changed the string, of course. But with the output I get, whether I use older scripts or the new one, which is testing Conficker and 3 other security issues, in none of them am I getting the output I should. I used "nmap -p 445 -T4 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args safe=1 " with a valid target IP, and the output I got was about 9 lines telling me just that the host is up, the port is filtered and that the target was scanned in 1.88 seconds. This happens with ZenMap and also Nmap running through the command line on my own, in both cases as an admin on Windows Vista. I just want to get that Host script results: